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Abstract 

This  paper  presents  work  on  model-based  automation  of 
failure-modes-and-effects  analysis  (FMEA)  applied  to  the 
hydraulic  part  of  a  vehicle  braking  system.  We  describe  the 
FMEA  task  and  the  application  problem  and  outline  the 
foundations  for  automating  the  task  based  on  a 
(compositional)  system  model.  Models  of  the  essential 
hydraulic  components  suitable  to  generate  the  predictions 
needed  for  the  FMEA  are  introduced  and  the  required 
models  of  the  control  software  outlined.  These  models  are 
based  on  constraints,  rather  than  simulation,  and  capture  the 
dynamic  response  of  the  systems  to  an  initial  situation  based 
on  one  global  integration  step  and  determine  deviations 
from  nominal  functionality  of  the  device.  We  also  present 
the  FMEA  results  based  on  this  model. 

1.  Introduction 

Failure-modes-and-effects  Analysis  (FMEA)  is  performed 
by  groups  of  experts  during  the  design  phase  of  a  system.  Its 
core  is  to  exhaustively  go  over  all  potential  component 
faults  and  predict  their  impact  on  the  functionality  of  the 
system  in  order  to  assess  whether  they  can  lead  to  a  critical 
situation  and  violate  safety  requirements,  and  take  steps  to 
minimize  or  mitigate  the  negative  impact  through  a  design 
correction. 

FMEA  was  originally  developed  in  the  military  area  (MIL, 
1980)  and  has  become  a  mandatory  task  in  the  aeronautics 
and  automotive  industries  (see  e.g.  (SAE,  1993)), 
meanwhile  as  part  of  international  standards  for  functional 
safety  (e.g.  ISO  26262  in  the  automotive  industries,  (ISO 
2011))  and  receives  increasing  interest  in  other  areas,  such 
as  automation  systems. 

The  main  result  of  the  analysis  is  a  table  that  relates  certain 
scenarios  (such  as  “Braking  in  forward  motion"), 
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components  or  subsystems  and  their  faults  (“valve  stuck 
open”)  to  the  effects  caused  by  them  in  the  respective 
scenario,  possibly  at  component  level,  next  level,  and 
system  level,  (“right  front  wheel  overbraked;  vehicle 
yawing  to  the  right”)  and  some  other  assessments  (e.g. 
criticality,  detectability,  suggested  design  changes). 

The  analysis  is  performed  by  groups  of  experts,  consuming 
precious  time  and  labor,  and  repetitive,  because  it  has  to  be 
redone  or  revised  for  each  variant  or  version  of  a  system  and 
each  revision  of  a  design.  Current  computer  support  to 
reduce  the  effort  and  time  is  fairly  poor  and  mainly  limited 
to  editors  and  data  handling.  The  key  part  of  the  analysis, 
inferring  the  effects  of  the  assumed  faults,  remains  the  task 
of  the  human  experts.  Although  a  major  part  of  this  analysis 
is  not  very  sophisticated,  but  rather  routine  and  mechanistic, 
it  requires  knowledge  about  the  involved  components  and 
reasoning  about  the  (physical  and  software)  system.  Hence, 
computer  systems  substantially  supporting  it  have  to  be 
knowledge-based  systems.  More  specifically: 

•  a  model-based  solution  is  required  that  can  reason 
about  how  the  (mis-)behavior  of  components  and  their 
interaction  establishes  the  (mis-)behavior  of  the  overall 
system,  because,  during  early  design  stages,  only  a 
blueprint  may  be  available.  (Even  when  a  physical 
prototype  exists,  it  may  be  too  costly,  risky,  or  even 
impossible  to  implant  certain  faults  in  the  physical 
system.) 

•  Exact  parameter  values  of  the  design  may  still  be 
undetermined.  Hence,  the  analysis  cannot  be  based  on 
numerical,  but  only  on  qualitative  models. 

•  Even  if  the  parameters  do  have  fixed  numerical  values, 
the  analysis  is  inherently  qualitative  both  w.r.t  input 
(classes  of  faults,  such  as  “a  leakage”,  rather  than 
“leakage  of  size  x”)  and  relevant  effects  (“loss  of 
pressure  in  wheel  brake”  and  “potentially  reduced 
deceleration”). 

For  both  reasons,  numerical  models  (e.g.  Matlab/Simulink, 
Modelica  models)  are  useless  and  could,  at  best,  produce 
some  incomplete  hints,  based  on  sampling  an  infinite  space 
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of  space  of  scenarios  and  faults.  In  fact,  we  are  not  aware  of 
any  serious  attempt  of  using  numerical  models  for  this 
purpose  in  practice. 

•  The  modeling  effort  must  be  low  to  handle  a  class  of 
systems  and  to  support  repetitive  FMEA  of  design 
variants  and  modifications.  This  needs  to  be  addressed 
by  compositional  modeling,  which  has  to  be  based  on 
a  library  of  generic,  context-independent  component 
models. 

The  systems  that  offer  support  to  the  automated  generation 
of  fault-effect  associations  in  the  context  of  FMEA  are 
based  on  qualitative  models.  The  AutoSteve  system  (Price, 
2000)  was  specialized  on  performing  FMEA  of  electrical 
car  subsystems.  The  AUTAS  project  developed  a  generic 
FMEA  tool  with  applications  to  electrical,  hydraulic, 
pneumatic,  and  mechanical  systems  in  aeronautic  systems 
(Picardi  et  al.,  2004). 

In  collaboration  with  a  German  car  manufacturer,  we 
applied  this  algorithm  to  FMEA  of  a  novel  braking  system, 
which  confronted  us  with  the  need  for  models  of  hydraulic 
components,  especially  valves,  that  are,  on  the  one  hand, 
general  enough  to  be  reusable  and,  on  the  other  hand, 
powerful  enough  to  deliver  the  predictions  relevant  to 
FMEA  of  braking  systems. 

In  this  paper,  we  present  the  core  of  models  that  have 
proven  to  successfully  produce  the  results  needed  for  FMEA 
of  the  braking  system.  The  key  features  of  the  models  are 
that  they 

•  capture  one  integration  step,  but  avoid  any  simulation 
and  are  stated  in  terms  of  constraints  (finite  relations), 

•  are  compositional  and  context -independent, 

•  analyze  how  a  stimulus  in  terms  of  a  local  pressure 
change  (e.g.  pushing  a  brake  pedal)  propagates  through 
the  system. 


•  capture  qualitative  deviations  of  pressure  and  flow  from 
their  nominal  values  resulting  from  component  faults, 

•  can  be  complemented  by  models  of  the  control  software 
functions  for  both  their  correct  and  their  faulty 
behavior,  due  to  the  high  level  of  abstraction. 

The  focus  of  the  work  reported  in  this  paper  is  on 
automatically  determining  the  local  and  global  effects  of 
each  failure  mode  (i.e.  component  fault).  It  first  describes 
the  case  study,  FMEA  of  braking  systems,  and  then 
summarizes  the  foundations  of  model-based  FMEA.  In 
section  4,  we  present  the  key  parts  of  the  models.  The 
results  obtained  for  FMEA  are  discussed  in  section  5. 
Section  6  briefly  outlines  foundations  for  modeling  the 
embedded  software. 

2.  The  Braking  System 

The  target  is  a  novel  braking  system  whose  details  are 
proprietary.  For  safety  reasons,  it  still  has  to  comprise  the 
traditional  braking  function.  Therefore,  we  use  this  part  of 
the  system  in  order  to  illustrate  our  solution. 

A  standard  braking  system  is  mainly  composed  of  hydraulic 
and  mechanical  components  and  the  electronic  control  unit 
(ECU)  and  its  software.  It  contains  a  tandem  pedal  actuation 
unit  (with  two  pistons  and  two  chambers),  valves  (inlet  and 
outlet  types)  and  wheel  brakes,  shown  in  Figure  1. 

The  pedal  actuation  block  (top  right)  comprises  two  pistons 
(PA_P1  and  PA_P2)  and  the  two  chambers  (PA_C1  and 
PA_C2),  where  PA_P1  is  directly  affected  by  pushing  the 
brake  pedal.  Each  chamber  produces  pressure  for  one 
diagonal  wheel  pair,  and  each  wheel  brake  (WB11,  12,  21, 
22)  sits  between  an  inlet  valve  and  an  outlet  valve. 

The  inlet-valves  (M_VI11,  12,  21,  22)  are  piloted  check 
valves;  during  standard  braking  (i.e.  with  no  command), 
they  are  open,  while  the  outlet-valves  (M_V011,  12,  21,  22) 
are  closed.  Pushing  the  brake  pedal  causes  pressure  to  build 


Figure  1.  Braking  system.  Pressure  is  generated  by  two  pistons,  PA_P1,2,  in  two  chambers,  PA_CA1,2,  and  reaches  the 
wheel  brakes,  WBij,  via  open  inlet  valves,  M_VIij,  while  outflow  is  blocked  by  closed  outlet  valves,  M_VOij.  The  impact 
of  inserting  another  valve,  M_Vixx,  is  discussed  in  section  5.3 
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up  in  the  wheel  brakes.  Inlet  valves  always  allow  a  flow 
back  from  the  wheel  brakes,  which  causes  the  diminishing 
of  the  wheel  brake  pressure  if  the  brake  pedal  is  released. 

When  operated  under  the  Anti-lock-braking  system  (ABS), 
the  valves  are  controlled  by  commands  from  the  ECU.  The 
pressure-build-up  phase  is  the  scenario  described  above.  For 
pressure  maintenance,  the  inlet  valve  is  closed.  If  the  speed 
sensors  indicate  that  the  wheels  tend  to  lock  up,  the  outlet 
valves  are  opened  to  release  pressure,  let  the  wheels  spin 
again  and,  thus,  enable  steering  of  the  vehicle.  Then  the 
cycle  is  entered  again. 

Typical  inferences  required  for  FMEA  are 

•  If  an  inlet  valve  is  stuck  closed  under  normal  braking, 
the  respective  wheel  will  be  underbraked  (reduced 
deceleration). 

•  The  same  holds  if  an  outlet  valve  is  stuck  open  under 
normal  braking. 

•  If  an  outlet  valve  is  stuck  closed  during  the  pressure 
release  phase  of  ABS  braking,  the  respective  wheel  will 
be  overbraked,  because  the  pressure  is  not  released. 

•  An  inlet  valve  being  stuck  open  during  this  phase  will 
have  the  same  impact. 

Other  faults  are  leakages  of  the  wheel  brakes  and  the 
chambers,  the  wheel  brakes  and  pistons  being  stuck,  bad 
sensors  etc.  Also  bugs  in  the  embedded  software  have  to  be 
considered,  which  becomes  an  increasingly  important  aspect 
in  functional  safety. 

3.  Model-Based  FMEA 

Predicting  the  principled  impact  of  (classes  of)  faults  in 
(classes  of)  scenarios  is  the  core  of  the  FMEA  task.  In  this 
section,  we  summarize  the  logical  foundation  of  model- 
based  FMEA,  which  have  been  developed  in  the  AUTAS 
project  (see  (Picardi  et  al.,  2004),  (Fraracci,  2009)), 
implemented  as  an  inference  engine  in  Raz’r  (OCC’M, 
2014),  and  applied  to  various  aircraft  subsystems. 

3.1.  Relational  Models 

As  motivated  in  the  introduction,  models  supporting  FMEA 
have  to  be  qualitative.  We  use  finite  qualitative  relations 
over  variables.  Hence,  a  behavior  model  is  regarded  as  a 
relation  R  over  a  set  of  variables  that  characterize  a 
component  or  system:  Rcz  DOM(v),  where  y  is  a  vector  of 
system  variables  with  the  domain  DOM  (y),  which  is  the 
Cartesian  product 

DOM  (y)  =  DOM  (v,)  x  DOM  (v2)  x  ...  x  DOM  (vn). 

So,  a  relation  R  (i.e.  a  constraint)  is  a  subset  of  the  possible 
behavior  space. 


If  elementary  model  fragments  R:J  are  related  to  behavior 
modes  mode^Cj)  of  the  component  Cr  then  an  aggregate 
system  (under  correct  or  faulty  conditions)  is  defined  by  a 
mode  assignment  MA  =  {modeiCj)}  which  specifies  a 
unique  behavior  mode  for  each  component  of  this  aggregate 
whose  model  is  obtained  as  the  join  of  the  mode  models,  i.e. 
the  result  of  applying  a  (complete  version  of)  constraint 
satisfaction  to  { Ry } : 

Rma=  1X1  Rij . 

3.2.  Formalization  of  FMEA 

To  support  FMEA,  it  is  necessary  to  determine  whether  the 
effects  of  a  certain  component  fault  (represented  as  a  mode 
assignment  MA)  violate  an  intended  function  of  the  system. 
If  the  function  is  considered  as  part  of  GOALS ,  then  the  task 
might  mean  to  check  whether  the  fault  model  FMma  is 
inconsistent  with  the  function: 

FMma  u  GOALS  b  7 1 

Often,  the  analysis  is  carried  out  for  particular  mission 
phases  (such  and  “cruising”  or  "landing”  of  an  aircraft)  or 
scenario  Sk  (e.g.  the  three  phases  of  the  ABS  braking  as 
explained  above): 

FMma  u  Sk  u  GOALS  b  7 1 

In  practice,  FMEA  is  not  carried  out  this  way,  but  by 
specifying  effects  Eh  which  are  specific  violations  of  the 
intended  function  (GOALS),  for  instance  too  high  and  too 
low  deceleration  of  a  wheel,  i.e.  underbraking  and 
overbraking: 

Sk  u  L,  b  GOALS  , 

and  the  analysis  determines  the  effects  that  may  occur  under 
a  particular  failure  mode: 

FMma  u  Sk  u£(  b  _L 

Since  models,  scenarios,  and  effects  can  all  be  represented 
by  relations,  we  can  characterize  and  compute  the  effects  of 
the  FMma  as  follows: 

•  RMa  (x\SkciE j 

if  the  failure  mode  is  included  in  effect,  then  the  effect 
will  definitely  occur  (case  £j  in  Figure  2) 

•  Rma  MStn  E2=  0 

if  the  intersection  is  empty,  the  effect  does  not  occur 
(case  E2) 

•  otherwise 

the  effect  may  occur:  E3 

The  above  checks  can  be  performed  using  general 
techniques,  such  as  constraint  solvers  (Rossi  et  al.,  2008)  or 
logical  reasoning  engines  that  can  determine  consistency 
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Figure  2.  Determining  effects 

and  entailment.  We  use  the  FMEA  engine  of  Raz’r 
mentioned  above  (OCC’M,  2014). 

3.3.  Deviations  Models  -  Formalization 

FMEA  is  about  inferring  deviations  from  nominal  system 
function  due  to  a  deviation  from  nominal  component 
behavior.  Hence,  not  the  magnitude  of  certain  quantities 
matter,  but  the  fact  whether  or  not  they  deviate  from  what  is 
expected  under  normal  or  safe  behavior. 

This  is  why  deviation  models  (Struss,  2004)  offer  the  basis 
for  a  solution:  they  express  constraints  on  the  deviations  of 
system  variables  and  parameters  from  the  nominal  behavior 
and  capture  how  they  are  propagated  through  the  system. 

For  each  system  variable  and  parameter  vn  the  deviation  is 
defined  as  the  sign  of  the  difference  between  the  actual  and 
a  reference  value: 

Av  :=  sign(vact  -  vref). 

Then  algebraic  expressions  in  an  equation  can  be 
transformed  to  deviation  models  according  to  rules  like 

a  +  b  =  c  =>  Ao  +  Ab  =  Ac 
a  *  b  =  c  =>  aact  *  A b  +  bacl  *  Aa  -  Aa  *  Ab  =  Ac  , 

where  +,  -,  *  on  the  right-hand  side  should  be  interpreted  as 
operators  over  the  sign  domain. 

Furthermore,  for  any  monotonically  growing  (section  of  a) 
function  y  =  f(x),  we  obtain  Av  =  Ax  as  an  element  of  a 
qualitative  deviation  model. 

For  instance,  the  deviation  model  of  a  valve  is  given  by  the 
constraint 

A Q  =  A*  (APrAP2)  +  AA  *  (PrP2)  -  AA  *  (APrAP2) 

on  the  signs  of  the  deviations  of  pressure  (A Pi),  flow  (A0, 
and  area  (AA).  This  constraint  allows,  for  instance,  to  infer 
that  Pl  being  too  large  (A P{  =  +)  causes  an  increased  flow 
(A Q  =  +),  if  P2  and  the  area  remain  unchanged  (A P2  =  0,  A A 
=  0)  and  the  valve  is  not  closed  (A  =  +).  Such  qualitative 
deviation  models  specify  finite  relations  over  the  qualitative 
variables  and  can  be  constructed  from  first  principles 
(differential)  equation  models,  if  they  exist.  Under  certain 
conditions  (piecewise  monotonic  functions)  these  relations 


can  be  calculated  automatically  from  numerical  models 
(Struss  et  al.,  201 1). 

Note  that  in  contrast  to  model-based  diagnosis,  where  we 
may  use  the  very  same  models,  we  do  not  face  the  problem 
of  determining  whether  a  certain  sensor  value  indicates  a 
qualitative  deviation  or  not:  in  FMEA,  there  are  no 
measurements;  a  deviation  is  simply  assumed  as  the  starting 
point  of  the  analysis. 

4.  Hydraulic  Models 

The  literature  on  qualitative  modeling  does  not  deliver  a 
ready-made  library  of  hydraulic  models  that  could  be  used 
for  real  applications  like  the  one  we  are  tackling.  Especially 
for  valves,  most  of  the  proposed  models  compile  strong 
assumptions  about  the  context  into  the  models,  which  makes 
them  inappropriate  for  a  library  of  generic,  reusable 
component  models.  What  is  it  that  makes  hydraulic 
modeling  hard?  While  we  can  easily  model,  for  instance,  a 
resistor  network  by  simultaneous  equations  characterizing 
the  steady  state,  the  analysis  of  hydraulic  systems  often 
focuses  on  the  transitions,  and  the  finally  reached 
equilibrium  may  be  uninteresting  (e.g.  all  connected  parts 
with  equal  pressure).  Pressures  determine  flows,  which  in 
turn  determine  change  of  pressure.  Hence,  the  analysis  has 
to  include  some  integration  step  (in  the  mathematical  sense), 
and  our  component  models  duplicate  variables  to  describe 
states  “before”  and  (directly)  “after”. 

Another  problem  dimension,  which  is  not  dealt  with  in  this 
paper,  is  related  to  the  fact  that  often,  the  nature  of  the  stuff 
that  flows  cannot  be  ignored,  e.g.  when  there  is  air  in  a 
hydraulic  circuit. 

In  the  following,  we  present  the  core  pieces  of  the 
qualitative  hydraulic  model  that  we  used  to  solve  the  FMEA 
task.  Our  starting  point  was  our  early  work  on  modeling  for 
diagnosis  of  braking  systems  (Struss  et  al.,  1997),  and  we 
created 

•  a  relational  model  that 

•  qualitatively  captures  the  system’s  direct  response  to 
some  initial  condition,  especially 

•  in  terms  of  deviations  from  nominal  behavior,  and 

•  can  be  used  by  the  FMEA  engine  whose  basis  was 
outlined  in  section  3.2. 

Despite  its  simplicity,  it  turns  out  to  be  quite  powerful  and 
appropriate  for  generating  the  kind  of  information  needed 
for  the  FMEA  task.  We  first  characterize  its  scope  by 
discussing  the  most  important  requirements  and  modeling 
assumptions  underlying  it  and  then  present  the  various 
“slices”  of  the  key  component  models,  namely  valve  and 
volume. 
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4.1.  Modeling  Methodology  and  Assumptions 

In  the  current  model,  we  assume  that  there  is  one  source  of 
pressure,  or,  more  precisely,  a  unique  maximal  pressure 
level  generated  by  components  or  some  external  force.  In 
our  application,  this  is  determined  by  the  driver  pushing  the 
brake  pedal.  It  is  not  fixed  to  a  particular  numerical  value, 
but,  rather,  by  the  fact  that  the  pressure  in  the  system  cannot 
exceed  it.  We  are  convinced  that  the  approach  can  be 
extended  to  multiple  source  levels,  but  did  not  implement 
such  a  model  and  make  no  claims. 

This  assumption  is  reflected  by  the  chosen  domain  for 
pressure: 

PosSign3:={0,  (+),+}, 

where  +  is  the  source  pressure  (and  maximal),  0  corresponds 
to  the  sink  (in  our  case  the  reservoir  of  the  liquid),  and  (+)  is 
any  pressure  in  between.  For  pressure  drops  and  flows,  only 
their  direction  matters,  i.e.  their  domain  is  Sign  =  {-,  0,  +}. 
Valves  are  assumed  to  be  either  closed  ( A  =  0)  or  open  (A  = 
+),  which  does  not  imply  they  are  completely  open. 

The  next  assumption  (a  requirement  of  our  application)  is 
that  the  interest  is  in  determining  the  systems  direct 
response  to  an  initial  situation.  To  illustrate  what  this  means 
(and  what  is  excluded),  consider  the  right-hand  part  of  Fig. 
3  with  a  volume  component  Vol2,  with  initial  pressure  0, 
connected  via  open  valves  on  the  right  to  a  volume  Vol, 
with  pressure  P=+  in  the  initial  scenario  S0,  and  on  the  left 
to  another  volume  Vol3  with  initial  pressure  (+).  The  state 
following  this  initial  situation  will  be  a  state  with  positive 
inflows  Q  into  Vol2,  and  this  is  what  the  model  should 
predict  (scenario  Si  in  Fig.  3).  There  may  be  a  future  state, 
in  which  the  pressure  in  Vol2  exceeds  the  one  in  Vol3,  and 
the  flow  through  the  respective  valve  reverses.  This  is  not 
what  we  are  interested  in,  and  accordingly,  we  exclude  such 
multiple  changes  of  qualitative  values.  Also,  no  other  event 
should  occur  during  the  period  of  interest,  especially  no 
valve  changes  its  state.  We  furthermore  assume  pressure  to 
be  homogeneous  in  a  volume  and  ignore  time  required  to 
achieve  or  approximate  the  situation. 


To  simplify  the  presentation  in  this  paper,  we  assume  that 
there  are  no  deviations  in  the  initial  situation.  This 
assumption  can  be  dropped  if  the  system  response  to  a 
deviating  initial  situation  is  of  interest. 

The  modeling  is  not  ad-hoc,  but  follows  a  clear  and 
general  methodology  that  can  be  applied  to  other 
components  and  systems.  A  qualitative  deviation 
component  model  is  constructed  from  an  equation-based 
model  Me  as  the  union  of  five  sets  of  constraints,  three 
obtained  as  transformations  of  Mc: 

•  Q(Me):  the  qualitative  abstraction  of  Me 
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Figure  3.  Volume- Valve  sequence 


•  5(Me):the  qualitative  abstraction  of  the  derivative 
version  of  Me 

•  A(MC):  the  qualitative  deviation  model  of  Me 

and  two  set  of  constraints  representing  the  qualitative 

integration  constraints,  which  are  generic  and 

independent  of  Me: 

•  I(x):  the  qualitative  integration  constraint  for  the 
variables 

•  I(Ax):  the  qualitative  integration  constraint  for  the 
deviations. 
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Figure  4.  The  elements  of  valve  and  volume  models 
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We  present  the  different  elements  of  the  models,  which  are 
summarized  in  Figure  4.  We  do  so  step  by  step  in  order  to 
demonstrate  the  necessity  of  each  model  slice  and  its 
contribution. 

4.2.  Base  Models 

The  core  of  the  models  is  given  by  the  qualitative 
abstractions  of  the  standard  (differential)  equations.  A  key 
requirement  is  that  the  component  models  are  local  and 
context-independent  in  order  to  be  compositional  as 
required  by  the  application  task. 

For  the  valve,  the  terminals  T,  are  its  hydraulic  connections 
(it  has  another  one  for  the  control  command).  With  the 
convention  that  a  positive  flow  is  going  into  the  respective 
component,  we  obtain 

Tl.Q  =  A*(Tl.P-T2.P), 

where  pressure  subtraction 

- :  {0,  (+),  +  }x{0,  (+),+}  ^  {-,  0,+} 

is  defined  as 

0  -  0  =  +  -  +  =  0, 

+  -  (+)  =  +  -  0  =  (+)  -  0  =  + 

0  -  (+)  =  0  -  +  =  (+)  -  +  =  - 

(+)  -  (+)  unrestricted. 

The  second  element  is  Kirchhoff  s  Law  (see  Fig.  4,  row  1). 

Since  A  is  the  actual  opening  of  the  valve,  these  elements 
apply  to  all  behavior  modes  of  a  valve  except  leakages. 

The  base  model  of  a  volume  is  straightforward.  To  simplify 
the  presentation,  we  consider  a  volume  with  only  one 
terminal  (like  the  wheel  brake).  If  there  is  more  than  one 
terminal,  Ti .Q  is  replaced  by  the  sum  of  all  flows  across  all 
terminals  (or  the  volume  is  connected  to  a  joint  capturing 
the  various  flows,  as  done  in  the  brake  model).  In  case  of  a 
leakage,  also  the  resulting  leak  flow  has  to  be  included.  dP 
denotes  the  qualitative  derivative  with  the  domain  Sign. 

The  results  obtained  by  this  base  model  do  not  always 
contain  an  answer  relevant  to  the  FMEA  task.  In  our  brake 
system,  normal  braking  happens  when  the  inlet  valve  is 
open  and  the  outlet  valve  is  closed.  The  consequence  is 
pressure  (+)  in  the  wheel  brake.  If  the  outlet  valve  is  stuck- 
open,  there  will  be  an  outflow  (after  one  integration  step). 
The  wheel  brake  pressure  is  still  (+).  But  the  important  point 
is:  it  is  less  than  under  nominal  conditions.  Therefore,  we 
add  a  layer  of  deviation  models,  as  shown  in  Figure  4. 

4.3.  Deviation  Models 

The  deviation  models  are  easily  obtained  from  the  algebraic 
equations  of  the  base  models.  However,  they  are  quite 
powerful  and  provide  the  prediction  we  need  for  FMEA  in 
the  scenario  discussed  above:  the  inflow  via  the  inlet  valve 


will  have  a  deviation  0,  while  the  flow  towards  the  outlet 
valve  has  a  negative  deviation  (being  negative  instead  of  0), 
and,  hence,  will  cause  a  negative  deviation  A  dP  (“reduced 
pressure  built-up”). 

Again,  the  deviation  model  applies  to  each  instance  of  time. 
But  still,  we  need  to  answer  the  question  how  we  represent 
and  predict  the  overall  system  response  properly. 

4.4.  Integration,  Continuity,  Persistence 

This  model,  which  applies  to  every  point  in  time,  still  has 
limited  utility.  Consider  again  a  sequence  of  three  or  more 
connected  volumes  (as  in  Figure  3),  each  with  initial 
pressure  0,  except  for  Vob,  which  has  a  pressure  (+).  What 
we  would  like  to  predict  is  a  flow  through  all  valves  from 
right  to  left  (scenario  S37  in  Fig.  3).  The  model  as  it  stands 
will  predict  a  flow  into  Vol2  and  zero  flows,  otherwise  (S38). 
Of  course,  the  pressure  derivative  in  Vol2  is  positive.  Hence, 
after  integration,  the  pressure  becomes  (+),  too,  and 
applying  the  model  will  lead  to  a  flow  from  Vol2  to  Vol3  - 
but  leave  the  flow  from  Volj  to  the  second  Vol2  unrestricted, 
because  of  pressure=(+)  for  both  (S3g).  If  there  are  n  more 
volumes,  n  integration  steps  are  required  in  order  to  let  the 
flow  reach  the  last  one  -  and  leave  all  other  flows 
undetermined.  -  Obviously,  this  is  not  what  we  need. 

In  our  model,  we  consider  two  temporal  slices  of  the  system 
behavior:  the  initial  situation  and  the  one  capturing  the 
direct  global  system  response,  i.e.  a  representation  of  the 
state  after  the  effect  of  pressure  differences  has  been 
propagated  to  all  (connected)  parts  of  the  system.  This 
means,  we  neglect  the  time  needed  for  this  propagation  and 
apply  some  kind  of  “temporal  factorization”  (Pietersma  & 
van  Gemund,  2007). 

The  initial  state  is  characterized  by  variables  P0,  Q<h  etc., 
while  the  next  state  is  represented  by  P ,  Q,  etc. 

Then  the  integration  step  can  be  represented  as  a  constraint 
on  different  variables,  namely  PQ,  dP,  P.  The  crucial  point  is 
that  we  do  not  choose  dP0,  but  dP,  i.e.  the  derivative  after 
the  impact.  Figure  4  shows  the  respective  constraint  in  row 
4,  column  3.  It  expresses  more  than  the  continuous 
transition  from  P0  to  P  dependent  on  dP.  It  excludes 
transitions  from  (+)  to  +  or  0,  expressing  the  restriction  of 
the  predictions  to  the  next  state  (which  implies  the  exclusion 
of  state-changing  events). 

Starting  from  some  initial  situation  and  the  respective  values 
of  P0 ,  Q(h  etc.,  how  can  we  determine  dP  instead  of  only 
SPqI  This  is  supported  by  the  constraint  on  flows  shown  in 
row  4,  column  2  of  Figure  4.  Again,  it  captures  more  than 
continuity:  non-zero  flows  are  considered  to  be  persistent, 
which  again  expresses  the  restriction  to  the  next  qualitative 
state  and  the  exclusion  of  events  that  change  the  direction  of 
flow.  This  achieves  the  intended  prediction,  for  instance,  for 
the  volume  sequence  discussed  above:  Q0  and  hence,  also  Q 
from  Voli  to  Vol2  is  determined  to  be  non-zero,  which 
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suffices  to  determine  dP  =  +  and  P  =  (+)  for  Vol2.  This 
implies  a  positive  flow  into  Vol3,  etc. 

Without  further  distinctions  between  sink  and  source 
pressures,  i.e.  within  (+),  the  model  developed,  so  far,  may 
appear  quite  weak,  being  unable  to  determine  the  direction 
of  flow  between  two  volumes  with  pressure  (+).  Consider 
another  initial  scenario,  S67,  for  the  hydraulic  chain  in  Fig. 
3,  where  initially,  all  volumes  have  pressure  (+),  the  valves 
are  open,  but  there  are  no  flows  across  them  (because  all 
volumes  have  exactly  the  same  pressure).  If  we  connect 
Vol  |  to  a  source  (pressure  +)  and  the  left-most  valve  to  a 
sink  (pressure  0),  again  we  expect  a  flow  from  right  to  left 
(S68).  However,  the  model  slices  presented,  so  far,  are 
unable  to  derive  this,  because  the  inflow  to  Vol!  leaves  its 
pressure  at  (+),  and  the  flow  through  Valve!  remains 
undetermined.  What  enables  us  to  predict  the  change  is  the 
consideration  that  the  pressure  in  Voli  has  increased, 
exceeds  the  one  in  Vol2  and,  hence,  produces  a  flow  into 
Vol2,  and  so  on.  We  can  capture  this  by  adding  a  derivative 
of  the  base  model  that  links  change  in  pressure  and  change 
in  flow,  as  shown  in  row  2  of  Fig.  4  (We  omit  producing 
constraints  involving  the  second  derivative,  what  would 
happen  for  the  volume).  This  model  successfully  generates 
the  expected  result  S68. 

Finally,  we  add  a  constraint  that  integrates  the  deviations 
(row  5  of  Figure  4).  Intuitively,  this  states  that  if  the 
derivative  of  a  quantity  deviates  from  the  nominal  value, 
then  so  does  the  quantity  itself.  This  is  based  on  the 
assumption  that  the  initial  situation  does  not  contain 
deviations.  If  it  is  dropped,  an  initial  pressure  deviation  has 
to  be  added. 

5.  FMEA  Results 

5.1.  Scenarios 

We  used  the  model  whose  core  has  been  outlined  in  section 
4  to  produce  an  FMEA  of  the  braking  system  described  in 
section  2  for  a  number  of  scenarios:  braking  and  non¬ 
braking  with/without  ABS  for  a  moving/no-moving  car.  In 
the  following,  we  focus  on  the  scenario  “Standard  braking 
while  car  moving",  which  is  identical  to  the  1st  phase  of 
ABS  braking  as  explained  in  section  2.  This  scenario  is 
defined  as: 

•  no  commands  to  all  valves:  Cmd  =  0  (i.e.  under  normal 
conditions  inlet  valves  open,  outlet  valves  closed) 

•  the  initial  hydraulic  pressure  of  all  wheel-brakes  are 
zero:  WBxy.P0  =  0 

•  velocity  v  >  0  for  all:  WBxy.v  =  + 

•  constant  pressure  P  on  the  piston  PA_Pi  exerted  by  the 
brake  pedal:  PA_Pi.P  =  + 

•  no  deviation  of  the  pedal  pressure:  PA_P|.A/J  =  0  and 
PA_P|.AoP  =  0 


For  the  "maintain  pressure"  phase,  the  commands  to  the 
inlet  valves  are  set  to  1,  and  the  wheel  brake  pressures  are 
(+)  (from  the  previous  phase).  In  the  "release  pressure" 
scenario,  the  commands  to  the  outlet  valves  also  become  1 . 

5.2.  System  Level  Effects 

The  system  effects  are  defined  by  the  experts  as  the  relevant 
deviations  from  the  intended  function.  For  the  braking 
system,  this  includes  the  following  effects: 

•  soft  pedal,  P  =  +;  A P  =  0  and  A dpos  =  +;  where  pos 
indicates  the  position  of  piston  PA_Pi:  when  pushed 
(without  deviation),  the  piston  (and,  hence,  the  pedal) 
moves  faster  than  normal 

•  hard  pedal,  like  soft  pedal  with  A  dpos  =  - 

•  underbraking,  reduced  deceleration  of  a  wheel: 
WBxy.Adv  =  +  where  xy  indicates  the  wheel  involved 

•  overbraking, 

too  much  deceleration:  WBxy.Adv  =  - 

•  potential  no  steering,  both  front  wheels  are 
underbraked  (and,  hence,  may  lock  up) 

•  yawing  to  left, 

WB2i  .Adv-WB  1 1  .Adv  +  WB22.Adv-WBl2.Adv  =  + 

AND  NOT 

WB21.Adv-WB„.Adv+WB22.Adv-WB12Adv  =  - 
where: 

WB2):  left  front  wheel;  WBn:  right  front  wheel; 

WB22:  left  rear  wheel;  WB12:  right  rear  wheel . 

This  means:  underbraking  of  at  least  one  wheel  on  the 
right-hand  side  or  overbraking  of  at  least  one  wheel  on 
the  left-hand  side  and  no  possibly  counteracting 
under/overbraking. 

•  yawing  to  right 

WB  2 1 .  A3v- WB 1 1 .  Ad  v  +  WB22.Aov-WBl2.Aov  =  - 
AND  NOT 

WB21.Adv-WB  1 1  .Adv+WB22.  Adv  -WB  12A3v  =  + 

•  potential  yawing 

WB2i  .Adv-WB  1 1  .Adv  +  WB22.Adv-WB12.Adv  =  - 
WB2i  .Adv-WB  1 1  .Adv  +  WB22.Adv-WB12Adv  =  + 

Some  over/underbraking,  but  none  of  the  above  cases 
(i.e.  potential  compensation  of  yawing) 

•  loss  of  liquid,  Qleakx  =+,  where  Qleakx  is  the  leakage 
liquid  flow  and  x  indicates  (as  above)  the  respective 
wheel  involved. 

5.3.  Results 

The  qualitative  model  has  been  implemented  in  Raz'r 
(OCC'M,  2014),  an  environment  for  model-based  diagnosis, 
prediction,  and  FMEA.  Partial  results  for  the  scenario 
“Standard  braking  while  car  is  moving”  are  shown  in  Fig.  5. 


781 


Annual  Conference  of  the  Prognostics  and  Health  Management  Society  2014 


Scenario 

Part 

Failure 

mode 

Local 

effect 

System 

level 

effect 

3faking  CarMoving 

PAC1 

SealBroken 

»no  local  effect« 

SoftPedal 

3raking  CarMoving 

PAC1 

AirlnChamber 

»no  local  effect« 

:SoftPedal 

3raking  CarMoving 

PAP1 

StucklnNonBrakingPosition 

HardPedal 

3raking  CarMoving 

PAP1 

StucldnNonBfakingPosition 

nxedlnNotPushedPosition 

:WB11  Underbraked 

Braking  CarMoving 

PA  PI 

StucklnNonBrakingPosition 

:WB21  Undeibraked 

3raking  CarMoving 

PA  PI 

StucklnNonBrakingPosition 

:WB12  Underbraked 

Braking  CarMoving 

PA  PI 

StucklnNonBrakingPosition 

:WB22  Underbraked 

Braking  CarMoving 

PA  PI 

StucklnNonBrakingPosition 

:HardPedal 

Bfaking  CarMoving 

PA  PI 

StucklnNonBrakingPosition 

:PotentialYawing 

Braking  CarMoving 

PA  PI 

StucldnBrakingPosition 

HardPedal 

:HardPedal 

Braking  CarMoving 

PA  P2 

StucklnNonBrakingPosition 

HardPedal 

Braking  CarMoving 

PA  P2 

StucklnNonBrakingPosition 

nxedlnNotPushedPosition 

:WB12  Underbraked 

Braking  CarMoving 

PA  P2 

StucklnNonBrakingPosition 

:WB22  Underbraked 

3raking  CarMoving 

PA  P2 

StucklnNonBrakingPosition 

:HardPedal 

Braking  CarMoving 

PA  P2 

StucklnNonBrakingPosition 

:PotentialYawing 

Braking  CarMoving 

PA  P2 

StucldnBrakingPosition 

HardPedal 

:HardPedal 

Braking  CarMoving 

PA  C2 

SealBroken 

»no  local  effect« 

:SoftPedal 

3ralang  CarMoving 

PA  C2 

AirlnChamber 

»no  local  effect« 

:SoftPedal 

3raking  CarMoving 

M  V111 

BlockedClosed 

NoFlow 

3raking  CarMoving 

M  VIII 

BlockedClosed 

ReducedFlow 

:WB11  Underbraked 

3raking  CarMoving 

M  V111 

BlockedClosed 

:HardPedal 

3raking  CarMoving 

M  VIII 

BlockedClosed 

:YawingToLeft 

3raking CarMoving 

MVI11 

BlockedOpen 

»no  local  effect« 

:»no  system  level  effects« 

Braking  CarMoving 

WB22 

Leakage 

Underbraked 

:WB22  Underbraked 

Braking  CarMoving 

WB22 

Leakage 

:SoftPedal 

Braking  CarMoving 

WB22 

Leakage 

:WB22  LossOfljquid 

Braking  CarMoving 

WB22 

Leakage 

:YawingToRight 

Braking  CarMoving 

WB22 

StucklnNonBrakingPosition 

Underbraked 

:WB22  Underbraked 

Braking  CarMoving 

WB22 

StucklnNonBrakingPosition 

:YawingToRight 

3raking_CarMoving 

WB22 

StucldnBrakingPosition 

»no  local  effect« 

:»no  system  level  effects« 

Figure  5.  Partial  FMEA  (omitting  repetitive  results) 


Columns  2  and  3  refer  to  the  respective  component  and 
failure  mode,  while  column  4  states  the  effects  local  to  this 
component,  and  column  5  contains  the  system  level  effects. 
This  table,  which  is  generated  within  seconds  (as  opposed  to 
person  days  if  carried  manually),  is  complete  and  correct 
when  compared  to  FMEA  tables  produced  by  experts. 

Despite  its  simplicity,  the  model  turns  out  to  be  quite 
powerful.  To  illustrate  this,  consider  the  table  entry  for  the 
inlet  valve  M_VIn  BlockedClosed  in  Figure  5.  It  predicts 
that  the  respective  Wheel  brake,  WB , ,  is  underbraked,  while 
WB2i  behaves  normally,  because,  after  all,  it  receives  the 
proper  pressure. 

When  we  insert  another  valve  between  the  chamber  PA_C1 
(with  pressure  +)  and  JointT2_l  the  valve  M_IVXX  indicated 
in  Fig.  1),  then  besides  WBn  underbraked,  also  WB2] 
overbraked  is  predicted,  because  of  a  higher  flow  through 
M_IV2i  due  to  the  blockage  of  M_IVn. 

6.  Software  Models 

Including  the  consideration  of  the  embedded  software  and, 
hence,  in  our  approach,  a  qualitative  deviation  model  of  it,  is 
necessary  for  two  reasons: 

•  the  impact  of  a  sensor  fault  can  only  be  analyzed  by 
considering  how  the  software  functions  that  depend  on 


the  sensor  value  process  it  to  determine  actuator  signals 
to  the  physical  components, 

•  the  software  itself  may  contain  bugs  that  lead  to 
behavior  deviations  of  the  controlled  physical  system. 

In  the  following,  we  briefly  outline  the  basis  for  modeling 
the  software  appropriately  and  refer  to  Struss  (2013)  for  the 
principles  and  Struss  &  Dobi  (2013)  for  an  application. 

In  our  case  study,  for  investigating  the  impact  of  a  failure  of 
a  sensor  that  measures  the  rotational  speed  of  a,  we  need  a 
model  of  the  intended  behavior  of  the  ECU,  more  precisely 
the  software  functions  that  control  the  valves  based  on  the 
measured  wheel  speed:  it  has  to  issue  a  command,  cmd=l, 
when  the  wheel  speed  drops  below  a  certain  threshold.  For 
two  different  thresholds,  the  commands  cause  an  inlet  valve 
to  close  and  an  outlet  valve  to  open,  respectively.  In  our 
context,  the  only  interesting  aspect  is  how  the  (correct) 
function  propagates  a  deviation  of  a  sensor  value  (or  a 
missing  one). 

Slightly  simplified,  this  can  be  stated  as 
A cmd  =  -Av_s  , 

where  v_s  is  the  sensor  signal  and  A  cmd  is  defined  on  the 
domain  {0,  1}  of  cmd.  If  the  v_s  is  too  low  (high),  i.e. 
deviates  negatively  (positively)  and,  hence,  reaches  the 
threshold  too  early  (too  late),  this  causes  the  command  to  be 
set  too  early  (too  late),  i.e.  deviate  positively  (negatively). 
The  OK  model  of  the  inlet  valve  contains 

AA  =  -A cmd  , 

while  the  outlet  valve  includes 

AA  =  A  cmd  . 

In  summary,  based  on  the  OK  models  of  the  software  and 
the  physical  components,  the  impact  of  the  sensor  failure 
will  be  determined  as  for  the  respective  valve  failures,  in 
particular  overbraking  and  underbraking. 

The  relevant  failures  of  the  software  itself  are 

•  untimely  command  (which  includes  “command  sent  too 
early”,  e.g.  due  to  a  high  threshold  value,  and 
“command  always”):  A  cmd  =+  and 

•  missing  command  (“command  too  late  or  never”): 

A  cmd  =  -,  triggering  the  same  effects  as 

AA  =+  (AA  =  -)  for  the  inlet  (outlet)  valve. 

For  analogue  actuator  signals,  the  deviations  generated  by 
the  software  (either  caused  by  a  wrong  sensor  input  or  by 
itself)  would  be  “too  high”  and  “too  low”. 

This  may  seem  to  be  over-simplified.  However,  consider 
that  FMEA  and  also  the  broader  safety  analysis  is  ultimately 
targeted  at  determining  the  failure  behavior  of  the  physical 
system  and  its  criticality,  and  that  software  bugs  are  relevant 
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only  with  regard  to  their  impact  on  this,  which  is  totally 
specified  by  (deviating)  actuator  signals.  This  boils  down  to 
faults  “untimely/no  command”  for  Boolean  signals  as 
discussed  above  and  “signal  too  high/too  low”  for  analogue 
ones.  Hence,  this  “physics-centered”  perspective  makes 
modeling  software  faults  at  this  high  abstraction  level 
feasible. 

7.  Discussion 

According  to  the  evaluation,  so  far,  the  models  produced 
according  to  the  proposed  methodology  generate  the  results 
required  by  FMEA. 

We  pointed  out  that  the  scope  of  the  models  is  limited;  for 
instance,  they  do  not  capture  the  impact  of  air  entering  the 
hydraulic  circuit.  Also,  there  may  be  some  relevant  long¬ 
term  impact  of  a  fault,  which  is  missed  by  the  system,  for 
instance  that  a  small  leakage  may  not  have  a  dramatic  effect 
immediately,  but  ultimately  causes  a  relevant  drop  in  the 
amount  of  liquid  and  pressure. 

However,  the  goal  of  building  such  tools  cannot  be  to 
completely  replace  the  human  analysis,  but  rather 
automatically  generate  the  tables  for  the  vast  majority  of 
cases  within  seconds  instead  of  person  days  as  in  the  manual 
process  and  leave  the  sophisticated  cases  to  the  human 
experts. 

Currently,  functional  safety  analysis  gains  increased 
importance,  for  instance  in  the  automotive  industries 
through  the  new  ISO  26262  standard.  This  analysis  has  to 
go  beyond  the  pure  characterization  of  the  physical  behavior 
and  also  assess  its  consequences  for  hazards  in  various 
situations,  such  as  collisions,  personal  damage,  and 
environmental  impact.  In  a  different  case  study,  functional 
safety  analysis  of  a  drive  train  of  a  truck,  described  in  Struss 
&  Dobi  (2013),  we  extended  the  analysis  in  order  to  derive 
such  conclusions  (the  risk  of  collisions  with  other  vehicles, 
persons,  or  obstacles  in  different  traffic  scenarios) 
automatically. 
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